Graham, the solution that Rick describes in his post is similar to the one that we used when faced with this challenge. Solving the Domain Admins issue was rather easy because not many users were domain admins and file shares were not ACL'd using the Domain Admins group. What you want to watch out for are situations where you have granted access to resources via the Domain Users group or added local administrative rights to a workstation via Domain Users. One way we solved certain issues was to create an NT4 group, populate it, grant it access to resources and then migrate the group.
--------------------------------------
Robert Contreras, MCSE/MCT
INS - International Network Services
[EMAIL PROTECTED]
C: 908-208-4580

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 06, 2003 8:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sidhistory of well known groups

Graham,

You cannot migrate the well-known groups from one domain (or forest) to another. The SIDs are universally the same. ADMT will attempt it; however, the well-known group already exists, and you cannot migrate it.

Our solution was to take an inventory of who / what was a member of the groups (or included membership of them) and recreate that via scripting, manual methods, what have you. If someone else has a solution, great - I hope that they do for the sake of your time in collecting the data. Otherwise, you do have a task - not monumental, but not small either.

BTW, our environment - 15k desktops, 25k users. Lots of groups.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 7:44 AM
To: [EMAIL PROTECTED]

Dear all,

Have posted quite recently with no feedback, so hoping this time round to get a bit more info. Still looking at a strategy for migration of the well-known accounts - "Domain Admins" / "Domain Users" - on which a lot of domain security is based.

Thought this was where the Group Mapping and Merging wizard gave us some help: using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the "migrate group SIDs" option enabled, I assumed this would populate the sIDHistory of the target domain group object with the source domain SID and in doing so create an entry in the ADMT database that would be read by the security translation / user migration wizards. Ditto for Domain Users.

However, this ADMT process is failing with the following error codes:

ERR2: 7085 Replace failed rc=1371 Cannot perform this operation on builtin accounts

For me, am I not right to say that the above groups are not in fact builtin accounts but "well-known accounts"??

Saw one post back that documented the use of a manual process (ClonePrincipal) to achieve the population of the sIDHistory, but this will not allow us to achieve the requirement of security translation. Any clues??

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
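Added example, not code from any poster in this thread. It shows the scripted route Rick describes: confirm that the groups really are the fixed-RID well-known groups (Domain Admins is always the domain SID plus RID 512, Domain Users plus 513, which is why ADMT reports rc=1371, Win32 ERROR_SPECIAL_ACCOUNT), inventory their explicit membership in the source domain to a CSV, and replay that membership into the target domain by sAMAccountName once the accounts and nested groups have been migrated. It assumes the RSAT ActiveDirectory module and that both domains are AD (an NT4 source would need the WinNT ADSI provider instead); the DC names and the CSV path are assumptions for illustration.

```powershell
# Added example, not code from any poster in this thread.
# Assumes the RSAT ActiveDirectory module; DC names and CSV path are assumptions.
Import-Module ActiveDirectory

$SourceDC  = 'dc1.sourcedom.example'               # assumed
$TargetDC  = 'dc1.targetdom.example'               # assumed
$Inventory = 'C:\migration\wellknown-members.csv'  # assumed

# Domain Admins is always <domain SID>-512 and Domain Users <domain SID>-513.
# The fixed RID is what makes them "special accounts" (Win32 error 1371,
# ERROR_SPECIAL_ACCOUNT), which is the rc=1371 that ADMT reports.
$WellKnown = [ordered]@{ 'Domain Admins' = 512; 'Domain Users' = 513 }

function Test-WellKnownGroup {
    # Returns $true when the group's SID is the domain SID plus the fixed RID,
    # i.e. when it is one of the groups ADMT will not migrate.
    param([string]$Name, [string]$Server)
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $group     = Get-ADGroup -Identity $Name -Server $Server
    return ($group.SID.Value -eq "$domainSid-$($WellKnown[$Name])")
}

function Export-WellKnownMembership {
    # Records only the explicit 'member' attribute. Domain Users membership that
    # comes from primaryGroupID is implicit and is recreated for free when the
    # user is migrated, so it must not be replayed (Add-ADGroupMember would fail).
    param([string]$Server, [string]$Path)
    $rows = foreach ($name in $WellKnown.Keys) {
        $dns = (Get-ADGroup -Identity $name -Server $Server -Properties member).member
        foreach ($dn in $dns) {
            $obj = Get-ADObject -Identity $dn -Server $Server -Properties sAMAccountName, objectSid
            [pscustomobject]@{
                Group          = $name
                SamAccountName = $obj.sAMAccountName
                ObjectClass    = $obj.ObjectClass   # 'group' rows record nesting, not a flattened list
                SourceSid      = $obj.objectSid.Value
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return @($rows).Count
}

function Import-WellKnownMembership {
    # Replays the inventory into the target domain. Run with -WhatIf first.
    # Returns the sAMAccountNames that do not exist in the target yet, so the
    # function can be re-run after the user and group migration has completed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server, [string]$Path)
    $missing = @()
    foreach ($row in Import-Csv -Path $Path) {
        # Match on sAMAccountName: the source SID cannot be carried over in
        # sIDHistory for these groups, which is the whole problem in the thread.
        $obj = Get-ADObject -Server $Server -LDAPFilter "(sAMAccountName=$($row.SamAccountName))"
        if (-not $obj) { $missing += $row.SamAccountName; continue }
        if ($PSCmdlet.ShouldProcess("$($row.Group) on $Server", "Add member $($row.SamAccountName)")) {
            Add-ADGroupMember -Identity $row.Group -Members $obj -Server $Server
        }
    }
    return $missing
}

# Usage: check, export from the source, dry-run the replay into the target.
foreach ($name in $WellKnown.Keys) {
    "$name is well-known in ${SourceDC}: $(Test-WellKnownGroup -Name $name -Server $SourceDC)"
}
"Exported $(Export-WellKnownMembership -Server $SourceDC -Path $Inventory) membership rows"
$notYet = Import-WellKnownMembership -Server $TargetDC -Path $Inventory -WhatIf
"Still to migrate before membership can be replayed: $($notYet -join ', ')"
```

Two things to keep in mind when running this against a real migration: the replay must happen after the users and nested groups have been migrated (otherwise every row lands in the returned missing list), and this only recreates group membership. Resources that were ACL'd directly with the source Domain Users or Domain Admins SID, the case Robert warns about, still need security translation or re-ACLing against a migratable group.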
